Remember the old days of phishing, when poorly written and designed e-mails linked to obviously fake websites that asked you to divulge your Social Security number, your mother’s maiden name, even your passwords? Those were simpler times — so much easier to spot a phishing scam. The warnings were clear and the perpetrators clumsy and unsophisticated. My, how times have changed.
The Rise of Super Phishing
Phishing isn’t even just phishing anymore. As internet users have grown more sophisticated, so have the criminals and the potential money to be made from an attack. There’s “spear phishing,” where specific individuals are targeted. There’s “clone phishing,” where legitimate emails are repurposed and resent with malicious code. And now there’s “whaling,” where upper management in large organizations are specifically targeted.
Today, phishing is often one part of an elaborate and sophisticated attack that targets an organization’s data and financials, illegally monitors activity over time, and ultimately steals customer and corporate money. And while everyone would love to pull a solution off the shelf, plug it in and stop phishing attacks, technology alone can’t stop them.
Business email compromise (BEC), where hackers pose as corporate executives or officers, accounted for more than $1.2 billion in stolen money between October 2013 and August 2015, according to the FBI.
Social Engineering, Explained
Phishing attacks don’t need to exploit vulnerabilities in code or hardware. They primarily exploit vulnerabilities in human nature — our desire to trust, to do the right thing and to be productive. They trick employees into doing something that they wouldn’t normally do — share their passwords or other critical information — by posing as legitimate actors and organizations. Sometimes that comes in the form of a phony email from a service provider like Google or Microsoft. Other times, it can be a fake communication from IT staff or even a CEO.
The overall effectiveness of a phishing campaign is between 11 and 23 percent, according to the 2015 Data Breach Investigations Report from Verizon.
But attacks aren’t successful just because of employee naiveté. They are usually the result of a lack of end-user security education and training. Schemes have been built to fool even the most astute employees. John Podesta, a savvy politician who had written a 2014 report on cyberprivacy for the Obama administration, was the victim of a phishing attack. (And we all know how that turned out.) Phishing attackers need only one or two employees to click on a link or give up information to do irreversible damage to an organization.
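The impersonation patterns this section describes (an executive’s name on a message that did not come from the company, a brand such as Google or Microsoft in the display name but not in the sender’s domain, a reply address that quietly redirects the conversation, and pressure language asking for money or credentials) are all visible in the message headers and body. The script below is an added, defender-side illustration and is not part of the original post or any product it mentions. The organization, domains, executive names and the three sample messages are constructed for the example, and the checks are deliberately simple heuristics, not a substitute for a real secure e-mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed policy for a hypothetical organization (assumptions, not from the post).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat quinn", "ana torres"}        # hypothetical executives
BRAND_NAMES = {"google", "microsoft"}                  # brands the post names as lures
URGENCY_WORDS = ("urgent", "wire", "immediately", "password", "verify")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise(name: str) -> str:
    """Collapse whitespace and case so display names compare reliably."""
    return re.sub(r"\s+", " ", name.strip().strip('"').lower())


def assess_message(raw: str) -> List[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name_n = _normalise(name)
    dom = _domain(addr)
    findings = []

    # 1. Executive display name on a non-corporate sender domain (the BEC pattern).
    if name_n in EXECUTIVE_NAMES and dom not in INTERNAL_DOMAINS:
        findings.append(f"executive name '{name}' sent from external domain {dom}")

    # 2. A brand in the display name whose domain is not the one sending the mail.
    for brand in BRAND_NAMES:
        if brand in name_n and brand not in dom:
            findings.append(f"brand '{brand}' in display name but sender domain is {dom}")

    # 3. Reply-To steering replies to a domain other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        findings.append(f"reply-to domain {_domain(reply)} differs from sender domain {dom}")

    # 4. A sender domain that merely resembles an internal one (crude lookalike check).
    for internal in INTERNAL_DOMAINS:
        if dom and dom != internal and internal.split(".")[0] in dom:
            findings.append(f"lookalike domain {dom} resembles {internal}")

    # 5. Pressure or credential language typical of BEC and credential-phishing bodies.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/credential language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: "Pat Quinn" <pat.quinn@example-corp.co>
Reply-To: pq.ceo@mail-example.net
To: finance@example.com
Subject: Urgent wire
Content-Type: text/plain

I need you to process a wire transfer immediately. I am in a meeting, reply here.
"""

SAMPLE_BRAND = """From: "Microsoft Account Team" <security@msft-verify-login.com>
To: alice@example.com
Subject: Verify your account
Content-Type: text/plain

Your password will expire today. Verify your identity now to avoid losing access.
"""

SAMPLE_LEGIT = """From: "Ana Torres" <ana.torres@example.com>
To: finance@example.com
Subject: Q3 numbers
Content-Type: text/plain

Attached are the Q3 figures for review before Friday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("brand", SAMPLE_BRAND), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample) or "no indicators")
```

Run on the constructed samples, the executive-impersonation message trips four checks, the fake brand notice trips two, and the genuine internal message trips none. In a real deployment the executive and domain lists would come from the directory, and hits would feed a quarantine or a warning banner rather than a print statement.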
3 Ways to Thwart Phishing Attacks
The good news is that there are effective ways to prevent phishing attacks. Here are a few basic things I recommend any organization do to stop the threat.
- Perform an assessment of your current environment. Are there existing vulnerabilities or malware? Are there opportunities to enhance your existing countermeasures? Sometimes the most effective changes are the simplest to implement. Don’t let simplicity get in the way of an effective defense.
- Determine your risk tolerance and acquire the software and tools that make the most sense for your organization. It’s important to stop phishing, but not at the expense of worker productivity. Look at these tools as part of the whole ecosystem. Often we look for a single solution to a single problem, and that tends to leave us with a hodge-podge of point solutions instead of cooperative technologies that layer our defenses. While no single solution meets all of our needs, we should view the problem so that our solutions are complementary, not isolated to one exact issue. This allows for more flexibility as threats evolve.
- Develop a thorough program that trains your employees on the different threats, the consequences, and the actions to take in response to phishing attacks. Eliminating human error can prevent most attacks. As with any other threat we might encounter, awareness and avoidance go a long way toward mitigating the damage. Awareness campaigns, solid communication with your staff, and a simple plan of action can be an integral part of your defense strategy.
Resilience Is Resistance
As attackers continue to develop more sophisticated strategies to attack the data and infrastructure of your organization, we need to develop better strategies to prevent these attacks. By building a resilient environment and educating employees, organizations can greatly reduce the threat of phishing attacks — creating a safer, more productive workplace and infrastructure.